Is your cyber security function an enabler…or an enabler?
For a while now, security leaders have been re-positioning the cyber security function as an enabler. The definition of enabler is twofold. Firstly, it can be a person or thing that makes something possible. However, there is a second definition: an enabler is a person who encourages or enables negative or self-destructive behaviour in another.
Warning: I’m going to generalise. Not all of what I’m about to say applies to all security teams, but my worry is that, through no fault of their own, security teams are living the latter definition of enabler. We say that security needs to be ‘upfront’ and considered by the business, but the reality is that security is often a gate at the go/no-go meeting, one that can delay projects… or push them to deploy with accepted risks and a list of remediation tasks for future releases. The lack of value the business places on cyber security, which leads to this late involvement, is what brings the latter definition of ‘enabler’ to fruition. Stakeholders often accept risks in order to avoid being told by the security team that a project can't progress or an outcome can’t be achieved.
To enable positively (the first definition) would require the security team to truly put in place controls, patterns, policies and structure for the business, so that the business knows the bounds within which its innovation can operate. I’m not suggesting that the controls put in place need to make the business walk through treacle. I’m suggesting that with the foundations in place, security will be enabling the business to see what’s possible. Ultimately, we are service providers to the business; our job is to enable the business to deliver its outcomes securely with minimal real or perceived obstruction. For this to work, the CEO and board need to back the conditions under which the organisation plans to do business. And it needs a CISO who is a commercially minded leader, who can work with peer business leaders on scoping their vision and strategy while empowering the security team to support the organisation day to day. (aka Utopia…I know)
If we want the security function to truly enable, we need to get up close with the business long before the point we currently define as ‘upfront’. We need security to form part of the foundations, and to be the way things are done around here.
In your opinion, is your security function an enabler…or an enabler?